On 29/04/2019 22:14, Klaus Darilion wrote:
Can you give an example of how those dynblockrules can be used to filter the above "attack"? The main problem with rate-limiting NXDOMAIN is that you need to ask the authoritative to get a response and check if it is NXDOMAIN. Then, dropping the response is actually no help as the authoritative still gets the query load.

In the normal case, suppressing responses may be a good thing to do, if the actual problem is that the DNS responses are part of a DoS attack (i.e. the DNS queries came in with spoofed source addresses).  The responses cause your IP reputation to suffer - and burn outbound bandwidth.


Also, if the source IP is random, you cannot block a source IP after too many NXDOMAINs.

That is true, but:

1. In that case, how would you propose dealing with random source IPs?  That is: how could you tell the difference between a valid query which demands an NXDOMAIN response, mixed in with the "attacking" queries?

2. Why would someone send you lots of queries with *random* source IPs?  Have you analyzed them, are you sure they're random? An attacker would normally put a victim's IP in the source, or a small set of victim source IPs.  Sending truly random source IPs wouldn't achieve very much, apart from wasting your resources (and theirs).

Regards,

Brian.
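A dnsdist dynamic-block rule of the kind discussed in this thread, added here as an illustration and not taken from either poster's configuration; the rate thresholds, block duration and the excluded monitoring range are assumptions. It blocks a client that receives too many NXDOMAIN answers, so that once the block is in place its further queries are dropped before being forwarded, which is exactly what does not help when every query carries a different spoofed source.

```lua
-- dnsdist.conf excerpt (example, assumed values)
-- Per-client NXDOMAIN rate limiting via dynamic blocks.

local dbr = dynBlockRulesGroup()

-- Block a client IP that was sent more than 50 NXDOMAIN responses
-- in any 10 second window; drop its queries for 60 seconds.
-- (rcode, rate, seconds, reason, blockDuration, action)
dbr:setRCodeRate(DNSRCode.NXDOMAIN, 50, 10, "Exceeded NXDOMAIN rate", 60, DNSAction.Drop)

-- Never block our own monitoring hosts (assumed range).
dbr:excludeRange({"192.0.2.0/24"})

-- dnsdist calls maintenance() about once a second; evaluating the
-- rules here is what actually installs the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

While a client is blocked, dnsdist drops its queries without asking the authoritative server, so the upstream load only drops for sources that repeat; a flood whose every packet has a fresh spoofed source never trips a per-client counter, which is the case the reply above asks about.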

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
